chore!: separated galaxy deps and own collections; modified ansible script generation to use two paths for collections

REQUIRES REGENERATING ansible.cfg!

ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml

@@ -0,0 +1,62 @@
+---
+- name: gather facts if required
+  ansible.builtin.setup:
+    gather_subset:
+      - distribution
+      - virtualization_type
+
+- name: install and configure nftables
+  when: security_firewall_enabled is truthy
+  become: true
+  notify:
+    - 'security : [firewall] restart service'
+  block:
+    - name: install nftables
+      ansible.builtin.apt:
+        pkg:
+          - nftables
+
+    - name: enable nftables
+      ansible.builtin.systemd:
+        name: nftables
+        enabled: true
+        masked: false
+
+    - name: create config dir
+      ansible.builtin.file:
+        path: /etc/nftables.d
+        mode: '0700'
+        state: directory
+
+    - name: set firewall templates facts
+      ansible.builtin.set_fact:
+        security_firewall_supervisors_ip4: '{{ external_provisioner_source_ips | default(provisioner_facts.controllers_list.values()) | list | ansible.utils.ipv4 }}'
+        security_firewall_supervisors_ip6: '{{ external_provisioner_source_ips | default(provisioner_facts.controllers_list.values()) | list | ansible.utils.ipv6 }}'
+        security_firewall_dns4_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns4'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv4, true) }}"
+        security_firewall_dns6_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns6'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv6, true) }}"
+
+    - name: base config file
+      ansible.builtin.template:
+        src: "../templates/system/{{ ansible_facts['distribution'] | lower }}/nftables.conf.j2"
+        dest: /etc/nftables.conf
+        mode: '0700'
+
+    - name: base tables definition
+      ansible.builtin.template:
+        src: "../templates/system/nftables/{{ item }}.table.j2"
+        dest: "/etc/nftables.d/{{ item }}.table"
+        mode: '0600'
+      loop:
+        - 01-nat
+        - 02-mangle
+        - 03-filter
+
+    - name: common firewall rules
+      ansible.builtin.template:
+        src: "{{ item }}"
+        dest: "/etc/nftables.d/{{ (item.split('/') | last)[:-3] }}"
+        mode: '0600'
+      loop: "{{ q('fileglob', '../templates/system/nftables.d/*.j2') }}"
+
+- name: flush handlers
+  ansible.builtin.meta: flush_handlers

ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml

@@ -0,0 +1,229 @@
+---
+- name: '[setup] gather facts if not already done'
+  setup:
+    gather_subset:
+      - distribution
+
+- name: '[system] setup DNS server'
+  block:
+    - name: disable resolv.conf updates from dhclient
+      ansible.builtin.copy:
+        dest: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
+        content: |
+          #!/bin/sh
+          make_resolv_conf(){
+            :
+          }
+        owner: root
+        group: root
+        mode: '0755'
+    - name: update resolv.conf
+      ansible.builtin.template:
+        src: ../templates/system/debian/resolv.conf.j2
+        dest: /etc/resolv.conf
+        mode: '0644'
+        owner: root
+        group: root
+  become: true
+  when: security_configure_resolve_conf is truthy
+
+- name: '[system] re-allow DHCP client to setup DNS resolvers'
+  become: true
+  ansible.builtin.file:
+    path: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
+    state: absent
+  failed_when: false
+  when : security_configure_resolve_conf is falsy
+
+- name: '[system] add sysctl tweaks'
+  become: true
+  ansible.builtin.template:
+    src: ../templates/system/debian/sysctld.local.conf.j2
+    dest: /etc/sysctl.d/local.conf
+    mode: '0644'
+  when: security_sysctl_configuration is truthy
+  vars:
+    sysctl_values: "{{ security_sysctl_configuration }}"
+  notify:
+    - 'security : [system] reload sysctl configuration'
+
+- ansible.builtin.include_tasks:
+    file: firewall.yml
+    apply:
+      tags: [firewall]
+  tags: [firewall]
+
+- name: '[apt] force HTTPS sources'
+  become: true
+  when: security_apt_force_https is truthy
+  block:
+    - name: '[apt] fetch apt information'
+      ansible.builtin.command:
+        cmd: find /etc/apt -maxdepth 2 -path \*sources.list -o -path \*sources.list.d\* -type f
+      register: apt_source_files
+      changed_when: false
+    - name: '[apt] updating sources'
+      ansible.builtin.replace:
+        path: "{{ item }}"
+        regexp: 'http://'
+        replace: 'https://'
+      loop: "{{ apt_source_files.stdout_lines | difference(security_apt_https_ignore_list) }}"
+      notify:
+        - 'security : [apt] update sources'
+
+- name: '[ssh] hardening sshd'
+  become: true
+  block:
+    - name: '[ssh] setup sshd_config'
+      ansible.builtin.template:
+        src: ../templates/openssh-server/sshd_config.j2
+        dest: /etc/ssh/sshd_config
+        mode: '0600'
+    - name: '[ssh] ensure directories exist'
+      ansible.builtin.file:
+        path: /etc/ssh/sshd_config.d
+        state: directory
+        mode: '0700'
+    - name: '[ssh] setup sshd_config.d'
+      ansible.builtin.template:
+        src: ../templates/openssh-server/sshd_config.d/encryption.conf.j2
+        dest: /etc/ssh/sshd_config.d/encryption.conf
+        mode: '0600'
+    - name: '[ssh] remove low security keys'
+      ansible.builtin.file:
+        path: "/etc/ssh/{{ item }}"
+        state: absent
+      loop:
+        - ssh_host_ecdsa_key
+        - ssh_host_ecdsa_key.pub
+        - ssh_host_rsa_key
+        - ssh_host_rsa_key.pub
+  notify:
+    - 'security : [ssh] restart service'
+
+- name: '[utils] install security and audit tools'
+  become: true
+  ansible.builtin.apt:
+    update_cache: true
+    force_apt_get: true
+    cache_valid_time: 3600
+    pkg:
+      - lsof # rkhunter
+      - rkhunter
+      - unhide # rkhunter
+    state: present
+
+- name: '[system] configure rkhunter'
+  become: true
+  block:
+    - name: '[rkhunter] create include dir'
+      ansible.builtin.file:
+        path: /etc/rkhunter.d
+        state: directory
+        mode: '0750'
+    - name: '[rkhunter] copy configuration'
+      ansible.builtin.template:
+        src: ../templates/rkhunter/rkhunter.conf.local.j2
+        dest: /etc/rkhunter.conf.local
+        mode: '0640'
+    - name: '[rkhunter] setup cronjob'
+      ansible.builtin.cron:
+        name: rkhunter check
+        minute: 0
+        hour: 4
+        day: "*/3"
+        job: "/usr/bin/rkhunter -c 2>&1"
+        state: present
+
+- name: get current clamav version
+  ansible.builtin.shell: >
+    dpkg -l | awk '$2=="clamav"{ print $3 }' | cut -d '-' -f 1
+  register: clamav_version_cmd
+  changed_when: false
+  failed_when: false
+
+- name: '[system] clamav'
+  become: true
+  block:
+    - name: '[clamav] retrieve and install clamav package'
+      ansible.builtin.apt:
+        deb: https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb
+        state: present
+      when: clamav_version_cmd.get("stdout", "") != security_clamav_version
+    - name: '[clamav] add clamav group'
+      ansible.builtin.group:
+        name: clamav
+        system: true
+        state: present
+    - name: '[clamav] add clamav user'
+      ansible.builtin.user:
+        name: clamav
+        comment: clamav
+        create_home: false
+        expires: -1
+        group: clamav
+        shell: /bin/false
+        system: true
+        state: present
+    - name: '[clamav] setup directories'
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: directory
+        owner: clamav
+        group: clamav
+        mode: '0750'
+      loop:
+        - /etc/clamav
+        - /var/lib/clamav/quarantine
+        - /var/log/clamav
+    - name: '[clamav] copy clamd.conf'
+      ansible.builtin.template:
+        src: '../templates/clamav/clamd.conf.j2'
+        dest: /etc/clamav/clamd.conf
+        owner: clamav
+        group: clamav
+        mode: '0640'
+    - name: '[clamav] copy freshclam.conf'
+      ansible.builtin.template:
+        src: '../templates/clamav/freshclam.conf.j2'
+        dest: /etc/clamav/freshclam.conf
+        owner: clamav
+        group: clamav
+        mode: '0640'
+    - name: '[clamav] copy freshclam service file'
+      ansible.builtin.template:
+        src: '../templates/clamav/clamav-freshclam.service.j2'
+        dest: /usr/lib/systemd/system/clamav-freshclam.service
+        mode: '0644'
+    - name: '[clamav] copy clamd service file'
+      ansible.builtin.template:
+        src: '../templates/clamav/clamav-clamd.service.j2'
+        dest: /usr/lib/systemd/system/clamav-clamd.service
+        mode: '0644'
+    - name: '[clamav] setup cron job'
+      ansible.builtin.cron:
+        name: clamav full system scan
+        minute: 30
+        hour: 5
+        weekday: 0
+        job: "/usr/local/bin/clamscan --recursive --infected --exclude-dir='^/(sys|proc)' --database=/var/lib/clamav --move=/var/lib/clamav/quarantine --log=/var/log/clamav/weekly.log / 2>&1"
+        state: present
+  notify:
+    - 'security : [clamav] daemon reload'
+    - 'security : [freshclam] restart service'
+    - 'security : [clamd] wait for signatures'
+    - 'security : [clamd] restart service'
+
+- name: '[system] hardening system'
+  become: true
+  block:
+    - name: '[system] login.defs'
+      ansible.builtin.template:
+        src: '../templates/system/{{ ansible_facts["distribution"] | lower }}/login.defs.j2'
+        dest: /etc/login.defs
+        mode: '0644'
+    - name: '[system] limits.conf'
+      ansible.builtin.template:
+        src: '../templates/system/{{ ansible_facts["distribution"] | lower }}/limits.conf.j2'
+        dest: /etc/security/limits.conf
+        mode: '0644'